Blog Layout

What is push-bombing?

The O Team • 20 June 2023

Cloud account takeover has become a major problem for organisations. Think about how much work your company does that requires a username and password. Employees end up having to log in to many different systems or cloud apps. Hackers then use various methods to get those login credentials with the goal to gain access to business data as a user, as well as launching sophisticated attacks and sending insider phishing emails. 


How bad has the problem of account breaches become?

Between 2019 and 2021, account takeover (ATO) rose by 307%.


Doesn’t Multi-Factor Authentication Stop Credential Breaches?


Many organisations and individuals use multi-factor authentication (MFA). It's a way to stop attackers that have gained access to their usernames and passwords. MFA is very effective at protecting cloud accounts and has been for many years.


But it’s that effectiveness that has spurred workarounds by hackers. One of these nefarious ways to get around MFA is push-bombing.


How Does Push-Bombing Work?


When a user enables MFA on an account, they typically receive a code or authorisation prompt of some type. The user enters their login credentials. Then the system sends an authorisation request to the user to complete their login.


The MFA code or approval request will usually come through some type of “push” message. Users can receive it in a few ways:

  • SMS/text
  • A device popup
  • An app notification

Receiving that notification is a normal part of the multi-factor authentication login. It’s something the user would be familiar with.


With push-bombing, hackers start with the user’s credentials. They may get them through phishing or from a large data breach password dump. They take advantage of that push notification process. Hackers attempt to log in many times. This sends the legitimate user several push notifications, one after the other.


Many people question the receipt of an unexpected code that they didn’t request. But when someone is bombarded with these, it can be easy to mistakenly click to approve access.

Push-bombing is a form of social engineering attack designed to:

  • Confuse the user
  • Wear the user down
  • Trick the user into approving the MFA request to give the hacker access


Ways to Combat Push-Bombing


Educate Employees

Knowledge is power. When a user experiences a push-bombing attack it can be disruptive and confusing. If employees have education beforehand, they’ll be better prepared to defend themselves.

  • Let employees know what push-bombing is and how it works.
  • Provide them with training on what to do if they receive MFA notifications they didn’t request.
  • You should also give your staff a way to report these attacks. This enables your IT security team to alert other users. They can then also take steps to secure everyone’s login credentials.


Reduce Business App “Sprawl”

On average, employees use 36 different cloud-based services per day. That’s a lot of logins to keep up with. The more logins someone has to use, the greater the risk of a stolen password.

  • Take a look at how many applications your company uses.
  • Look for ways to reduce app “sprawl” by consolidating.
  • Platforms like Microsoft 365 and Google Workspace offer many tools behind one login.
  • Streamlining your cloud environment improves security and productivity.


Adopt Phishing-Resistant MFA Solutions

You can thwart push-bombing attacks altogether by moving to a different form of MFA. Phishing-resistant MFA uses a device passkey or physical security key for authentication. 

There is no push notification to approve with this type of authentication. This solution is more complex to set up, but it’s also more secure than text or app-based MFA.


Enforce Strong Password Policies

For hackers to send several push-notifications, they need to have the user’s login. Enforcing strong password policies reduces the chance that a password will get breached.

Standard practices for strong password policies include:

  • Using at least one upper and one lower-case letter
  • Using a combination of letters, numbers, and symbols
  • Not using personal information to create a password
  • Storing passwords securely
  • Not reusing passwords across several accounts


Put in Place an Advanced Password Management Solution

Advanced password management solutions can also help you prevent push-bombing attacks. They will typically combine all logins through a single sign-on solution. Users, then have just one login and MFA prompt to manage, rather than several.


Additionally, businesses can use password management solutions to install contextual login policies. These enable a higher level of security by adding access enforcement flexibility. The system could automatically block login attempts outside a desired geographic area. It could also block logins during certain times or when other contextual factors aren’t met.


Do You Need Help Improving Your Identity & Access Security?


Multi-factor authentication alone isn’t enough. Companies need several layers of protection to reduce their risk of a cloud breach.  Are you looking for some help to reinforce your access security? Give us a call today to schedule a chat >


multifactor authentication, password management, cybersecurity, push bombing


Article used with permission from The Technology Press.

Laptop and smart phone with the same work files show on the screens
by The Orbital10 Team 18 November 2024
If you work on your phone while you’re on the move, it can be a hassle to find the right file once you’re back at your PC. Here we tell you about a cool new feature coming to Windows 11 that will help.
Two toy businessmen looking at missing jigsaw pieces over the words 'dropdown menu'
by The Orbital10 Team 11 November 2024
Having trouble finding the sign out button in Windows 11? You’re not the only one! Luckily, Microsoft have listened… find out more here.
Someone typing in their login details on a laptop
by The Orbital10 Team 4 November 2024
A sneaky new malware wants to annoy you into giving up your login details. It locks your browser in full screen mode, making you think you’re trapped… But you can easily escape and we’ll tell you how…
Laptop open with the Microsoft Edge icon on the screen
by The Orbital10 Team 26 October 2024
Trying to find your way through the Settings menu in Microsoft Edge might leave you overwhelmed but a new update is about to make it easier. Here we tell you how.
Computer screen showing data backup files that are getting corrupted
by The Orbital10 Team 21 October 2024
Your business data is backed up and recovery tools are in place. So, your data is safe, right? Sadly… not always. Here’s why we recommend backups are checked regularly..
Business man smacking his forehead after making a mistake
by The Orbital10 Team 7 October 2024
You’ve hit send on an important email - then you notice a typo. Windows 11 lets you spellcheck and autocorrect across most of its apps. Here we help you to set it up
Robotic AI arm holding a graphic of a robot and graphics of technology
by The Orbital10 Team 30 September 2024
Tried Microsoft Copilot yet? It’s a smart tool baked into the applications you use every day, that could save you time. Here are some cool ways it can help.
Person on laptop and using their smart phone to complete multi-factor authentication
by The Orbital10 Team 10 September 2024
Microsoft recently announced that all Azure sign-ins will soon require multi-factor authentication (MFA) to boost security. Even if you don’t use Azure, a cloud computing platform, this is something you should pay attention to. Because MFA is one of the simplest and most effective ways to protect your digital assets.
Man sitting with open laptop that has  the words 'installing updates' on the screen
by Orbital10 Team 2 September 2024
If you’re like most people, you probably find system updates a hassle. They take ages and those big downloads eat up precious bandwidth and storage. Good news then: Microsoft is about to make your life a whole lot easier with the upcoming Windows 11 24H2 update. It’s introducing something called ‘checkpoint cumulative updates.’ That might sound a bit technical, but don’t worry – it’s simple and very beneficial. Find out more in our blog post...
A cartoon lemon looking worried and upset, standing on a laptop
by Orbital10 Team 28 August 2024
Buying a used laptop can be a great way to save money. But it comes with risks. You need to be careful and thorough in your evaluation. Otherwise, you could end up wasting your money. You can’t only look at the outside when evaluating technology. This guide will help you understand what to look for when buying a used laptop (or desktop PC). These steps can keep you from losing money on a bad tech decision.
More posts
Share by: